diff options
author | jdemeyer <jdemeyer@cage.ugent.be> | 2018-09-07 07:37:00 (GMT) |
---|---|---|
committer | Victor Stinner <vstinner@redhat.com> | 2018-09-07 07:37:00 (GMT) |
commit | 8f735485acf2e35a75d2fa019feb8f905598c4e5 (patch) | |
tree | 5c83af13e9684ef31260e332158ab5408cdbef02 | |
parent | 593bb30e82eded7f2ec02f7d1aa49742e6962113 (diff) | |
download | cpython-8f735485acf2e35a75d2fa019feb8f905598c4e5.zip cpython-8f735485acf2e35a75d2fa019feb8f905598c4e5.tar.gz cpython-8f735485acf2e35a75d2fa019feb8f905598c4e5.tar.bz2 |
bpo-25750: fix refcounts in type_getattro() (GH-6118)
When calling tp_descr_get(self, obj, type), make sure that
we own a strong reference to "self".
-rw-r--r-- | Misc/NEWS.d/next/Core and Builtins/2018-03-14-21-42-17.bpo-25750.lxgkQz.rst | 2 | ||||
-rw-r--r-- | Objects/typeobject.c | 17 |
2 files changed, 13 insertions, 6 deletions
diff --git a/Misc/NEWS.d/next/Core and Builtins/2018-03-14-21-42-17.bpo-25750.lxgkQz.rst b/Misc/NEWS.d/next/Core and Builtins/2018-03-14-21-42-17.bpo-25750.lxgkQz.rst new file mode 100644 index 0000000..09ffb36 --- /dev/null +++ b/Misc/NEWS.d/next/Core and Builtins/2018-03-14-21-42-17.bpo-25750.lxgkQz.rst @@ -0,0 +1,2 @@ +Fix rare Python crash due to bad refcounting in ``type_getattro()`` if a +descriptor deletes itself from the class. Patch by Jeroen Demeyer. diff --git a/Objects/typeobject.c b/Objects/typeobject.c index 52fcfeb..b9e69bf 100644 --- a/Objects/typeobject.c +++ b/Objects/typeobject.c @@ -3145,6 +3145,7 @@ type_getattro(PyTypeObject *type, PyObject *name) PyTypeObject *metatype = Py_TYPE(type); PyObject *meta_attribute, *attribute; descrgetfunc meta_get; + PyObject* res; if (!PyUnicode_Check(name)) { PyErr_Format(PyExc_TypeError, @@ -3166,6 +3167,7 @@ type_getattro(PyTypeObject *type, PyObject *name) meta_attribute = _PyType_Lookup(metatype, name); if (meta_attribute != NULL) { + Py_INCREF(meta_attribute); meta_get = Py_TYPE(meta_attribute)->tp_descr_get; if (meta_get != NULL && PyDescr_IsData(meta_attribute)) { @@ -3173,10 +3175,11 @@ type_getattro(PyTypeObject *type, PyObject *name) * writes. Assume the attribute is not overridden in * type's tp_dict (and bases): call the descriptor now. */ - return meta_get(meta_attribute, (PyObject *)type, - (PyObject *)metatype); + res = meta_get(meta_attribute, (PyObject *)type, + (PyObject *)metatype); + Py_DECREF(meta_attribute); + return res; } - Py_INCREF(meta_attribute); } /* No data descriptor found on metatype. Look in tp_dict of this @@ -3184,6 +3187,7 @@ type_getattro(PyTypeObject *type, PyObject *name) attribute = _PyType_Lookup(type, name); if (attribute != NULL) { /* Implement descriptor functionality, if any */ + Py_INCREF(attribute); descrgetfunc local_get = Py_TYPE(attribute)->tp_descr_get; Py_XDECREF(meta_attribute); @@ -3191,11 +3195,12 @@ type_getattro(PyTypeObject *type, PyObject *name) if (local_get != NULL) { /* NULL 2nd argument indicates the descriptor was * found on the target object itself (or a base) */ - return local_get(attribute, (PyObject *)NULL, - (PyObject *)type); + res = local_get(attribute, (PyObject *)NULL, + (PyObject *)type); + Py_DECREF(attribute); + return res; } - Py_INCREF(attribute); return attribute; } |